Red warning level

Andrej Sokolow, dpa | Andrea Gillhuber,

Race for security vulnerability in server software

A newly discovered security vulnerability threatens to expose servers on the Internet to attackers on a broad front. It was initially unclear how widespread it was. However, a race against online criminals was underway around the world at the weekend.


A dangerous vulnerability in a widely used server software has set alarm bells ringing among IT experts. The German Federal Office for Information Security (BSI) raised its warning level for the vulnerability from orange to red on Saturday. According to the statement, there have been attempts at attacks worldwide, some of which have been successful. "The extent of the threat situation cannot currently be conclusively determined," warned the office, which is also responsible for the IT security of the German government.

The vulnerability is located in a frequently used library for Java software. Under certain circumstances it could allow attackers to execute their own code on the affected servers, for example to run malicious programs there. It is limited to some older versions of the library, called Log4j. However, no one has a complete overview of where the vulnerable versions of Log4j are in use.

Unseen by internet users, a race between IT experts and online criminals to automatically search for vulnerable servers was underway over the weekend. "At the moment, the priority is to find out how widespread the problem really is," said Rüdiger Trost from IT security company F-Secure. "Unfortunately, not only security teams but also hackers are working overtime to find the answer."


Attacks through the back door expected

Particularly insidious: attackers could now use the gap to install inconspicuous backdoors for themselves, Trost warned. "The actual attacks will certainly only take place weeks or many months later."

To make matters worse, at least some attackers may have had more lead time than initially assumed. The problem became public knowledge after the vulnerability was discovered on servers for the online game 'Minecraft' on Thursday. The IT security company Cloudflare subsequently found, however, that attack attempts targeting the vulnerability had been circulating since at least December 1. Attacks on a broad front only began at the weekend.

Log4j is a so-called logging library. It is used to record various events in server operation, as in a logbook, for example for later analysis of errors. The vulnerability can be triggered simply by a specific character string appearing in the log, for example inside a logged message. This makes it rather easy to exploit, which has experts very worried. At the same time, the systems of large providers usually have multi-layered protection mechanisms.
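Because the trigger is a character string that ends up in a log line, one defensive check is to scan existing logs for Log4j's lookup substitution syntax arriving from untrusted input such as request headers. The following Python is an added illustration, not code from the article or from the Log4j project; it assumes the general `${prefix:key}` lookup shape and uses constructed sample log lines.

```python
import re

# Log4j's lookup substitution syntax is "${prefix:key}". This regex finds the
# opening of such an expression; the prefix:key shape is an assumption about
# the general syntax, not a value quoted from the article above.
LOOKUP_START = re.compile(r"\$\{\s*[A-Za-z][A-Za-z0-9_.-]*\s*:")


def find_lookups(message: str) -> list[str]:
    """Return each balanced ${prefix:...} expression found in one log message."""
    found = []
    pos = 0
    while True:
        m = LOOKUP_START.search(message, pos)
        if m is None:
            return found
        start = m.start()
        depth = 0
        end = len(message)  # unterminated expression: keep the rest of the line
        j = start
        while j < len(message):
            if message.startswith("${", j):
                depth += 1
                j += 2
                continue
            if message[j] == "}":
                depth -= 1
                if depth == 0:
                    end = j + 1
                    break
            j += 1
        found.append(message[start:end])
        pos = end


def scan_log(text: str) -> dict[int, list[str]]:
    """Map 1-based line numbers to the lookup expressions they contain."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        lookups = find_lookups(line)
        if lookups:
            hits[lineno] = lookups
    return hits


# Constructed sample application log; the user-agent and user-name fields are
# attacker-controlled input that a web application would typically log.
SAMPLE_LOG = """\
2021-12-11 10:02:13 INFO  Request GET /index.html ua="Mozilla/5.0"
2021-12-11 10:02:14 INFO  Request GET /login ua="${env:HOSTNAME}"
2021-12-11 10:02:15 INFO  Request GET /search?q=price+in+${currency} ua="curl/7.79"
2021-12-11 10:02:16 WARN  Login failed for user="${sys:user.name}"
"""

if __name__ == "__main__":
    for lineno, lookups in scan_log(SAMPLE_LOG).items():
        print(f"line {lineno}: lookup syntax in logged input -> {lookups}")
```

Lines 2 and 4 are flagged because they contain a lookup expression in a field filled from the request; line 3 contains a plain `${currency}` placeholder with no prefix and is left alone. A hit means untrusted input reached the logger unsanitized, which is exactly the condition the article describes, so a matching line warrants checking whether the host runs an affected Log4j version and whether the update has been applied.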

Not only online systems at risk

IT security companies and Java specialists worked over the weekend to close the vulnerability. An update is now available for the affected versions of the open-source Log4j library. However, it only protects a system once its operators install it. The firewall specialist Cloudflare has therefore deployed a mechanism for its customers that blocks attack attempts. Experts warned that not only online systems are at risk: a QR scanner or a contactless door lock, for example, could also be attacked if it uses Java and Log4j, Cloudflare emphasized.

The US IT security authority CISA formed a working group with the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA), among others. "This vulnerability poses a significant risk," CISA stated. It emphasized that consumer security would depend on the measures taken by service providers.

"If the manufacturers provide updates, these should be installed immediately," the BSI also recommended to companies. "It is not yet known in which products this library is used, which means that it is not yet possible to estimate which products are affected by the vulnerability," the agency qualified.

The vulnerability also once again highlights a well-known problem in the tech industry: open-source software such as Log4j is designed and maintained by small teams of programmers who are often not paid for it, yet it is adopted by large companies as a cost-effective solution. Although open-source software is generally considered secure because its source code is public and can be checked by anyone, some errors are still overlooked.
